Description
This article describes how to authenticate PKI users on a FortiGate via SSL VPN using two-factor authentication with a certificate (client certificate plus password).
The existing SSL VPN policies need to be adapted if new groups are added to this setup. In general, a CA certificate is needed that signs the user certificates the users present to authenticate themselves to other entities.
Those client certificates are also used in this article.
Solution
- Set up the PKI for this first.
- Import the CA certificate that signed the user certificates to the FortiGate by going to System -> Certificate -> Import CA Certificate (.crt).
On the client side:
- Import the user's certificate signed by the trusted CA, with private key and certificate (BOTH are required!), to the client: either into the browser's 'Privacy & Security' section or into the Windows 'Certificate Store', where other applications such as FortiClient can access it.
- Private key and certificate can either be in one bundled PKCS#12 file (.p12) or as separate .cer/.crt and .key files.
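The PKI steps above (a CA that signs the user certificate, and a client bundle that contains both the certificate and the private key) can be built in a lab with openssl. The following script is an added example and not part of the Fortinet article; the CA name 'Lab Root CA', the client CN 'student' and the .p12 password 'changeit' are constructed values. The client CN is chosen to match the 'set subject "CN = student"' value used later in the peer user configuration; the resulting ca.crt is what would be imported on the FortiGate, and student.p12 is what would be imported on the client.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): build a minimal lab PKI with
# openssl and bundle the client certificate plus private key into a PKCS#12 file.
# All names and the export password are constructed for this example.
set -e

# build_lab_pki DIR: creates ca.crt/ca.key, student.crt/student.key, student.p12 in DIR
build_lab_pki() {
    dir="$1"
    mkdir -p "$dir"
    # CA key and self-signed CA certificate (the .crt imported under
    # System -> Certificate -> Import CA Certificate on the FortiGate)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Lab Root CA" -days 365 >/dev/null 2>&1
    # Client key and CSR; the CN must match the peer user's 'set subject' exactly
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/student.key" -out "$dir/student.csr" \
        -subj "/CN=student" >/dev/null 2>&1
    # Sign the client certificate with the CA
    openssl x509 -req -in "$dir/student.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/student.crt" -days 365 >/dev/null 2>&1
    # Bundle certificate AND private key into one .p12 for import on the client side
    openssl pkcs12 -export -in "$dir/student.crt" -inkey "$dir/student.key" \
        -out "$dir/student.p12" -passout pass:changeit >/dev/null 2>&1
}

# verify_chain DIR: exit 0 if student.crt chains to ca.crt (the check fnbamd
# reports as "Chain is complete" when the client connects)
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/student.crt" >/dev/null 2>&1
}

# cert_subject_cn CERT: prints the CN of the certificate subject (e.g. "student");
# RFC2253 formatting is used so the output is the same across openssl versions.
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=CN=\(.*\)$/\1/p'
}
```

A typical use is `build_lab_pki ./labpki && verify_chain ./labpki && cert_subject_cn ./labpki/student.crt`, which should print `student`; that printed CN is the value to enter in `set subject` on the FortiGate.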
From the GUI, under SSL-VPN settings:
- If needed, change the server certificate and select the certificate whose subject is the FortiGate FQDN that clients use for the VPN, ideally one signed by a CA that the connecting clients trust.
Otherwise users receive warnings about an invalid server certificate.
- Enable 'Require Client Certificate' (radio button in green).
Create a PKI user from the CLI:
# config user peer
    edit "pki_user"
        set ca "CA_Cert_1"
        set subject "CN = student"
        set two-factor enable
        set passwd Pa$$w0rd
    next
end
Then the 'PKI' section for certificate users appears in the GUI under User & Device -> PKI (after refreshing the GUI).
Note:
In the 'set subject' field, enter the exact name (CN) displayed in the user certificate; it can be very different from this example.
SSL VPN Group.
Add the created PKI user to the SSL VPN group under User & Device -> User Group.
Now test the connection: use the browser for web mode or FortiClient for tunnel mode.
Authenticate the remote user using FortiClient (PKI user with password and certificate).
To verify, enable debugging from the CLI while connecting:
# diagnose debug console timestamp enable
# diagnose debug application fnbamd -1
# diagnose debug application sslvpn -1
# diagnose debug enable
…
2020-05-06 10:13:28 [1250] __fnbamd_build_cert_chain-Chain is complete.
…
2020-05-06 10:13:28 [1460] peer_subject_cn_check-Cert subject 'CN = student'
…
2020-05-06 10:13:28 local auth is done with user 'pki_user', ret=0
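The three debug lines above are the markers of a successful login: the certificate chain to the imported CA is complete, the subject CN matches the peer user's 'set subject', and local authentication of the password returns ret=0. The following script is an added example and not part of the Fortinet article: it reads a captured fnbamd/sslvpn transcript and reports which of those three stages did not pass. The sample transcript is constructed to mirror the article's output, and the failure variants used in the usage note (a different CN, a missing chain line, a non-zero ret) are constructed as well; the FortiGate's actual ret codes for specific failures are not documented on the page.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): triage an fnbamd/sslvpn debug
# transcript for the three success markers of certificate + password login.
set -e

# sample_log: constructed transcript mirroring the article's successful login
sample_log() {
cat <<'EOF'
2020-05-06 10:13:28 [1250] __fnbamd_build_cert_chain-Chain is complete.
2020-05-06 10:13:28 [1460] peer_subject_cn_check-Cert subject 'CN = student'
2020-05-06 10:13:28 local auth is done with user 'pki_user', ret=0
EOF
}

# diagnose_pki_auth EXPECTED_CN EXPECTED_USER < transcript
# Prints exactly one of:
#   OK                        all three stages passed
#   NO_CHAIN                  no "Chain is complete" line (CA not imported / wrong CA)
#   SUBJECT_MISMATCH:<cn>     certificate CN differs from the peer's 'set subject'
#   NO_AUTH_RESULT            no "local auth is done" line seen
#   AUTH_FAILED:<user>:<ret>  local auth line present but ret != 0 or wrong user
diagnose_pki_auth() {
    awk -v want_cn="$1" -v want_user="$2" -v q="'" '
        /__fnbamd_build_cert_chain-Chain is complete/ { chain = 1 }
        /peer_subject_cn_check-Cert subject/ {
            # the subject is the text between the single quotes; strip "CN = "
            split($0, p, q); seen_cn = p[2]; sub(/^CN *= */, "", seen_cn)
        }
        /local auth is done with user/ {
            split($0, p, q); seen_user = p[2]
            if (match($0, /ret=-?[0-9]+/)) ret = substr($0, RSTART + 4, RLENGTH - 4)
        }
        END {
            if (!chain)               { print "NO_CHAIN"; exit }
            if (seen_cn != want_cn)   { print "SUBJECT_MISMATCH:" seen_cn; exit }
            if (ret == "")            { print "NO_AUTH_RESULT"; exit }
            if (ret != "0" || seen_user != want_user) {
                print "AUTH_FAILED:" seen_user ":" ret; exit
            }
            print "OK"
        }'
}
```

Run it as `sample_log | diagnose_pki_auth student pki_user` (prints OK), or feed a real capture from the FortiGate console. Feeding the same transcript with `diagnose_pki_auth teacher pki_user` prints `SUBJECT_MISMATCH:student`, which is the usual symptom of a 'set subject' value that does not match the CN in the user certificate.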
Related Articles
Technical Tip: PKI peer user creation for certificate authentication
Technical Tip: Configure admin certificate authentication